Post on 09-Feb-2022
Page 1: Safety Codes Council

Attachment A

Safety Codes Council

Enterprise Risk Management Framework

December 01, 2019

Version 1.0

Safety Codes Council Confidential

Enterprise Risk Management Framework i

Established by the Government of Alberta in 1993, the Safety Codes Council (“the Council”) is responsible to the Minister of Municipal Affairs to administer portions of the safety codes system including:

The Board of Directors (“Board”) and Executive Committee (“EC”) recognize that risk management is an important part of the Council’s annual business planning and long-term strategic planning process. The Council defines risk as the effect of uncertainty on objectives. All risks with the potential to significantly impact the Council or the achievement of the strategic plan are considered enterprise risks. The purpose of this document is to outline the Program for identifying and managing the enterprise risks, although the approach and tools may also be applied to assess risks related to any plans, programs, services, divisions, or new initiatives.

The Council’s Enterprise Risk Management (“ERM”) Framework and overall ERM Program are based upon the International Organization for Standardization (“ISO”) 31000:2018 Risk Management – Principles and Guidelines and the supporting Guide 73 Risk Management – Vocabulary (collectively referred to as “the Standard”). ERM is the coordination of activities to direct the Council and control risk, thereby creating and protecting value, improving performance, encouraging innovation, and supporting the achievement of goals. ERM is more than an exercise in risk avoidance and helps to identify priorities. It is as much about identifying opportunities as avoiding or mitigating losses.

An effective ERM Program provides the following benefits:

Appendix A highlights some key definitions which will help in providing a better understanding of the terms used throughout this ERM Framework.

The ERM oversight responsibility lies with the Board, which has delegated this responsibility to the Audit & Risk Committee. Ultimately, the President and Chief Executive Officer (“CEO”) owns all risks and is responsible for the effective management of risk for the Council as a whole. The Director, Corporate Strategy and Communications is tasked with driving ERM implementation, including the integration and coordination thereof, and EC is responsible for managing the risks.

Every employee of the Council is impacted in some way by risks, so every employee has an active role in being aware of risk and taking part in the risk management process. This involves understanding and applying the ERM Framework as well as identifying, analyzing, and managing risks.

Every employee within the Council has responsibility for day-to-day management of risks, with some having more responsibilities than others. The detailed ERM roles and responsibilities are outlined in Appendix B.

This ERM Framework has been developed to direct the risk management process for the Council, which is the identification and assessment of risks that may prevent the Council from achieving its strategic goals. The risk management process described herein is a structured approach to be integrated into the broader management practices of the Council.

The typical process shown below and contained within this Framework is extracted from the Standard and can be applied to strategic goals, divisions, projects, or activities.

The sections below provide more detail on the steps outlined in Figure 2.

The risk management process applies equally to risks that arise at an enterprise level, at an operational or day-to-day divisional level, or for new projects or activities. When embarking upon a risk assessment initiative, it is therefore important to have a clear understanding of the objectives / goals of the Council (or plans, programs, services, divisions, or new initiatives) for which the risk assessment is being completed. These objectives / goals should be clearly articulated and validated with the respective stakeholders prior to the initiation of the risk assessment initiative.

For the remainder of this document the steps will only reference strategic goals, but they remain applicable to the plan, program, service, division, or new initiative being assessed (should the Council choose to apply the risk management process at these levels).

This step requires the identification of risks which arise not only from the external environment, but also from internal sources. While identifying risks, also consider the causes and sources of the risk as well as their potential consequences to the Council. It is important to consider the full range of risks, including those risks associated with not pursuing an opportunity. The risk universe (included in Appendix C) provides categories of risks to assist the Council in identifying those critical to the Council. This list is not meant to be exhaustive nor in exact alignment with how the Council conducts its business; rather, it is intended to be a thought starter in the identification process.

Risks may be identified through the following activities:

During this step, the levels of inherent and residual risk are determined by analyzing the likelihood (frequency or probability) and consequence (magnitude of the impact) of each risk, using the risk rating criteria included in Appendix E.

Inherent risk is the risk before considering existing controls / mitigation strategies that are currently in place. Residual risk is the risk remaining after controls / mitigation strategies have been put in place to manage the inherent risk.

Likelihood and consequence should be viewed both in the absence of existing controls (inherent risk), as well as in the context of existing controls which may detect or prevent undesirable risks and events. This serves either to demonstrate the importance of existing controls / strategies and justify their continuation, or to identify those controls which are no longer necessary or cost-effective. This analysis also identifies the significance of the risk exposure should the existing controls / strategies fail.

To evaluate the level of residual risk, the Council must identify those existing controls that have been implemented to mitigate or manage the risk under consideration. It is important to ensure only existing (not planned) controls are identified to provide an accurate reflection of the Council’s current risk exposure.

To understand the relative priority of each risk, an overall inherent and residual risk score must be calculated and assessed against pre-established criteria (i.e. the Risk Matrix in Appendix F). The risk score is determined by multiplying the ratings for likelihood and consequence, separately for inherent and then residual risk. Once the overall risk scores have been determined, the inherent and residual risk scores are compared against the Risk Matrix to determine the overall risk rating (i.e. extreme, high, moderate, or low).

The Risk Matrix reflects the Council’s risk appetite, which is demonstrated by the coloring of each of the cells in the Matrix. Essentially, any high or extreme level risks (orange or red) are outside of the Council’s risk appetite and require the selection of one or more risk treatment strategies and the identification and development of specific risk mitigation plan(s) on a timely basis. If the level of risk established is moderate or low (i.e. yellow or green risks), then the risk may be tolerable and additional risk management plans are not required.

At this point, the Council should also review and refine the risk scores to not only ensure they are appropriate, but to also ensure the prioritization of risks relative to one another aligns with EC expectations. Adjustments to risk scores should be made to more accurately reflect the prioritization of the risks. This final residual risk rating is then used in the following step (i.e. Risk Treatment) to determine the appropriate risk treatment strategy to manage the risk to an acceptable level.

As a result of completing the previous steps, risks have now been prioritized and risks outside of the Council’s risk appetite have been determined. Management is now responsible for deciding how it will treat the risks that are in excess of its risk appetite. For risks with a residual rating that is within the Council’s risk appetite, no further action is required. It is not the intent to minimize, avoid, or remove all risks that are identified; rather, the intent is that the Council understands the significant risks (those outside of risk appetite) that could adversely impact the achievement of strategic goals and, where appropriate, establishes plans to address them. In addition, the Council should assess whether opportunities exist to exploit risks in support of achieving its strategic objectives.

Various risk treatment strategies (or a combination thereof) are available for a given risk. Risk treatment strategies are not mutually exclusive (i.e. they can be combined), nor are they appropriate in all circumstances. There are seven risk treatment strategies that can broadly be divided into the following four categories:

Selecting the most appropriate risk treatment strategy involves balancing the costs and efforts of implementation against the benefits derived, with regard to legal, regulatory, and other requirements such as social responsibility, stakeholder expectations, and the degree of control over each risk. More specifically, risk treatment decisions should consider the likelihood and consequence of the risk in determining the need for further treatment. For example, although a risk may have an extreme consequence, the potentially excessive cost of implementing a risk treatment strategy may not be justifiable given its low likelihood. Accordingly, the choice may be made to accept the risk, as opposed to taking further action to reduce or share it. In addition, the Council should also recognize that implementing a specific risk treatment strategy may reduce the likelihood or consequence of more than one risk, which may impact the cost-benefit analysis.

For all risk treatment strategies other than “accepting the risk”, a risk mitigation plan should be developed to implement the risk treatment strategy. Developing risk mitigation plans includes:

Once the ERM Program is implemented, it is important to monitor and review the effectiveness of the Council’s ERM Program over a period of time. A well-crafted ERM Program is only as effective as the dedication of the Council’s employees who adhere to the ERM principles and incorporate them into their daily decision-making processes. Monitoring and review mechanisms help to:

Independent risk management evaluations are periodic reviews (typically every two to three years) of the effectiveness of the Council’s ERM Program conducted by an independent party. Independent risk management evaluations provide the Council with an opportunity to gain an objective perspective of the effectiveness and maturity of the Council’s ERM Program.

The Council should continually monitor risks and the effectiveness of the plans, strategies, processes, and management systems that have been established to manage risks and guide the implementation of risk treatment strategies. To assess the effectiveness of the ERM Program, the Council should consider annually whether risks are effectively identified and assessed and regularly monitored and reviewed, thereby managing residual risk within the risk appetite of the Council. The Council should also ensure new and emerging risks are being considered and, where appropriate, integrated within the strategic risk register. Functions and processes change, as can the strategic goals of the Council. Accordingly, risks should be regularly re-examined to ensure the risks and the ways in which they are managed remain valid.

Ongoing monitoring and review are essential for managing risk. They are the actions built into the normal operating activities of the Council and are performed by risk owners considering the implications of information they receive. The presence of regular performance information or Key Risk Indicators (“KRIs”) can assist in identifying likely trends, trouble spots, and other changes which have arisen. The process of monitoring and review ensures that risk management strategies continue to be effective and a vital part of the Council’s business processes, while instilling a culture of continuous improvement.

The risk management process and its outcomes should be documented and reported through appropriate mechanisms. Recording and reporting aims to:

Factors to consider for reporting include:

Risk reporting is essential to ensure that key stakeholders are kept abreast of the significant risks and the actions resulting from risk management activities. In doing so, management and employees are better able to make informed decisions relative to risks and better support the achievement of the Council’s objectives. The risk reporting requirements for the Council are outlined in Appendix G.

Effective communication and consultation are essential to ensure that those responsible for implementing risk management, and those with a vested interest, understand the basis upon which decisions are made and the reasons why particular risk treatment options are selected. Communication seeks to promote awareness and understanding of risk, whereas consultation involves obtaining feedback and information to support decision-making. Close coordination between communication and consultation should facilitate factual, timely, relevant, accurate, and understandable exchange of risk-related information.

Continuous communication and consultation with internal and external stakeholders during all stages of the risk management process are pertinent, particularly when risk treatment strategies and risk management plans are first being developed and when significant decisions need to be made. Risk management is enhanced through effective communication and consultation when all parties understand each other’s perspectives and, where appropriate, are actively involved in decision making.

Communication and consultation aim to:

Consequence: Result or effect of a risk. The consequence can be certain or uncertain and can have positive or negative, direct or indirect effects on the Council’s goals.

Control: A measure that modifies risk. Controls include any process, policy, device, practice, or action which modifies risk.

Cost Benefit Analysis: A systematic approach to estimating the strengths and weaknesses of alternatives that satisfy transactions, activities, or functional requirements for a business. In the context of ERM, it entails analyzing the costs involved in implementing additional risk management activities versus the additional benefit derived by implementing those activities.

Divisions: The Council’s group or functional units overseen by senior manager level staff.

Enterprise Risk Management: Coordinated activities to direct and control the Council regarding risk to create and protect value, improve performance, encourage innovation, and support achievement of goals.

ERM Framework: A set of components that provide the foundations and organizational arrangements for the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording, and reporting risk throughout the Council.

ERM Program: Describes how the Council intends to manage risk. Typically, the Program includes the ERM Policy, ERM Framework, and processes. It describes the management components, the approach, and the resources that are to be used to manage risk, including procedures, practices, responsibilities, and activities.

Governance: Processes by which an organization is directed, controlled, and held to account. It encompasses authority, accountability, stewardship, leadership, direction, and control exercised by the Council.

Inherent Risk: The risk to the Council in the absence of any actions taken to alter either the risk’s frequency of occurrence and / or consequence.

Key Risk Indicator: A Key Risk Indicator, also known as a KRI, is an “early warning” indicator of changing and emerging risks and should be aligned with the strategic priorities and key performance indicators (“KPIs”) of the Council as set out in its strategic plan. In certain instances, a KRI can be the same as an existing KPI. KRIs help to identify potential risks that may impede the success of the Council and/or harm the continuity of operations.

Likelihood: The probability that the risk will occur within a fixed timeframe. Likelihood is usually expressed in terms of probability or frequency.

Residual Risk: The remaining risk after actions have been taken to alter the risk’s frequency of occurrence and / or consequence.

Risk: The effect of uncertainty on objectives. An effect is a deviation from the expected, either positive or negative.

Risk Analysis: The process to comprehend the nature of risk and to determine the level of risk. Risk analysis provides the basis for risk evaluation and decisions about risk treatment.

Risk Appetite: The amount and type of risk that the Council is willing to pursue or retain.

Risk Assessment: The overall process of risk identification, risk analysis, and risk evaluation.

Risk Context: Background information related to the risk to assist in understanding the nature, sources, and causes of the risk.

Risk Evaluation: The process of comparing the results of risk analysis with risk criteria to determine whether the risk and / or its magnitude is acceptable or tolerable. Risk evaluation assists in the decision about risk treatment.

Risk Identification: The process of finding, recognizing, and describing risks. Risk identification involves the identification of risk sources, events, their causes, and their potential consequences.

Risk Management: See Enterprise Risk Management.

Risk Management Process: The systematic application of policies, procedures, and practices to the activities of communicating and consulting, establishing the context, and assessing, treating, monitoring, reviewing, recording, and reporting risk.

Risk Owner: The person with the accountability and authority to manage a risk.

Risk Tolerance: The level of variation around key performance indicators (“KPIs”) and KRIs that the Council is willing to accept in the pursuit of strategic goals and the management of related specific risks. In defining risk tolerance, KPIs and KRIs should be in place for strategic goals and risks.

Risk Treatment Strategy: The process to modify risk. This involves the selection and implementation of appropriate options for dealing with risk, which may include:

Stakeholders: Parties that are affected by the Council, such as the Municipal, Provincial, or Federal government, employees, regulators, customers, suppliers, etc.

Strategic Risk: Those risks that could prevent the Council from achieving its strategic objectives.

Turnover: The act of replacing an employee with a new employee. Turnover rate is the percentage of employees in a workforce that leave during a certain period of time.

Specific roles and responsibilities for each of the key roles identified in Section 3 Roles and Responsibilities are provided in the table below:

Stakeholder Roles and Responsibilities

Board of Directors
Role: The Board provides oversight regarding ERM including direction, guidance, and monitoring. The Board may delegate the responsibilities outlined below to the Audit & Risk Committee.
Responsibilities:

Audit & Risk Committee
Role: The Audit & Risk Committee provides oversight of the ERM Program (when delegated to do so by the Board).
Responsibilities:

President & Chief Executive Officer
Role: The President and CEO is directly accountable to the Board for the management of all risks and the implementation of the ERM Program. The President and CEO may delegate the responsibilities outlined below.
Responsibilities:

Director, Corporate Strategy and Communications
Role: The Director, Corporate Strategy and Communications is the ERM sponsor and is responsible for implementing, integrating, and facilitating the ERM Program.
Responsibilities:

Executive Committee
Role: The EC supports the implementation of the ERM Program and manages risks from an enterprise-wide perspective.
Responsibilities:

Risk Owner
Role: Responsible for the day-to-day management of the risks assigned to the risk owner.
Responsibilities:

Safety Codes Council Employees
Role: Responsible for the day-to-day management of the risks.
Responsibilities:

Included below is a sample summarized risk register template, which includes example risk information to illustrate the risk register template. The risk register is contained in a separate MS Excel document.

The register has the following columns: Risk Name, Risk Statement, Inherent Risk Score, Existing Controls, Residual Risk Score, and Treatment Strategy. The example entry reads:

Risk Name: Recruitment & Retention
Risk Statement: Risk that the Council is unable to recruit and retain sufficient, qualified staff.
Inherent Risk Score: 20.0
Existing Controls: Performance management process is in place; employee engagement survey conducted annually
Residual Risk Score: 9.0
Treatment Strategy: Reduce

The table below outlines the reporting requirements, in terms of the type of information for each stakeholder, who delivers / presents the information, the frequency, and the forum for discussion.

| Stakeholders | Type of Risk Management Information | Reporting Responsibility | Timing | Format of Report | Forum for Discussion |
|---|---|---|---|---|---|
| Board of Directors | Analysis of top 10 risks over a three to five-year period | CEO | Annually | Dashboard reporting | Board Meeting |
| Board of Directors | Summary of extreme and high risks, with key risk indicator analysis and trending | CEO | Annually | Dashboard reporting | Board Meeting |
| Board of Directors | Review of risk register | CEO | Annually | Dashboard reporting | Board Meeting |
| Audit & Risk Committee | Analysis of top 10 risks over a three to five-year period | Director Corporate Strategy & Communications | Quarterly | Dashboard reporting | Audit & Risk Committee Meeting |
| Audit & Risk Committee | Summary of extreme and high risks, with key risk indicator analysis and trending | Director Corporate Strategy & Communications | Quarterly | Dashboard reporting | Audit & Risk Committee Meeting |
| Audit & Risk Committee | Summary of extreme and high risks with updates on risk treatment implementation progress | Director Corporate Strategy & Communications | Quarterly | Dashboard reporting | Audit & Risk Committee Meeting |
| Audit & Risk Committee | Summary of new risks | Director Corporate Strategy & Communications | Quarterly | Dashboard reporting | Audit & Risk Committee Meeting |
| EC | Analysis of top 10 risks over a three to five-year period | Director Corporate Strategy & Communications | Quarterly | Dashboard reporting | EC Meeting |
| EC | Summary of extreme and high risks, with KRI analysis and trending | Director Corporate Strategy & Communications | Quarterly | Dashboard reporting and prioritized risk register | EC Meeting |
| EC | Summary of extreme and high risks with updates on risk treatment implementation progress | Director Corporate Strategy & Communications | Quarterly | Dashboard reporting | EC Meeting |
| EC | Summary of new risks | Director Corporate Strategy & Communications | Quarterly | Dashboard reporting | EC Meeting |

Contact:

Erin Stroud

Director Corporate Strategy & Communications

Phone: 780.392.1366

Email: [email protected]